Web Application Testing
• Work in groups of six people (teams of more than six will be marked as 0)
• Choose a vulnerable web application (either a vulnerable VM or older software you download and install). You can choose your target from anywhere, e.g. by searching Exploit-DB for vulnerable web applications, then downloading the vulnerable version and installing it, or alternatively by using a VM with the software already installed, e.g. from vulnhub.com or pentesterlab.com.
• You may exploit a web application vulnerability such as:
– Cross-Site Scripting (XSS)
– SQL Injection (SQLi)
– Authorisation issues
– Authentication issues
– Local File Include (LFI)
– Remote File Include (RFI)
– Command Injection
– File Upload
– NOTE: the vulnerability should not be simplistic, such as a default username or password, simple XSS (e.g. without a filter bypass), or simple SQLi (e.g. without a filter bypass)
– Additional marks will be awarded for chaining bugs together, e.g. gaining access using SQL Injection and writing a web shell to the server to achieve interactive remote shell access, then optionally escalating privileges to a root or admin account.
• Make a short video of your screen while exploiting the vulnerable application (manual exploitation only), no longer than 2-3 minutes. The video must clearly show that you do not have access to the system before the exploit and then show that access has been achieved after the exploit. It must be clear which IP address is the attacker and which IP address is the target, and what level of access you have achieved.
• Write up the issue in a formal PDF report and include at least the following information. The sample report format from lecture one can be used as a guide:
– Your client is called “Your Secure Crypto Coin Exchange”. This company provides a financial exchange and stores sensitive customer and wallet data. The vulnerable service you have found is externally facing on the internet on a fully patched server. Due to the vulnerability you found, you could access partial financial data for 100 live customers.
– An executive summary of the issue aimed at a non-technical business manager
– An issue box containing the following information aimed at a technical staff member who will be assigned responsibility for fixing the issue:
• Vulnerability title
• Description of the issue
• Proof of concept with sufficient information to reproduce the issue including screenshots
• The vulnerable service and version number
• The operating system version
• Does the attacker need local or remote access?
• Identify if authentication is required or not
• The likelihood of exploitation
• The consequence of exploitation
• The resulting risk
• Remediation steps